How to assess your stakeholder matrix as part of a cloud security strategy
Running your organization in the cloud has many benefits (cost savings, efficiency gains, and the flexibility to scale, to name a few), along with some security drawbacks. This is where companies often encounter roadblocks to cloud adoption. On-premise security is traditionally defined by the tools that are used, but this approach falls short in the cloud, where fragmented point solutions, which may check boxes around security and compliance, create a security dissonance.
IT teams have a difficult or impossible time cobbling together a full picture of what their cloud security looks like at any point in time, and other stakeholders in the organization are effectively blind to what is happening in their cloud environment. This can result in gaping holes in cloud security and compliance postures, frustration, and perhaps even more serious consequences, should an attacker see an opportunity to take advantage.
This is why cloud security needs to take a strategy-first approach, where every tool purchased and solution leveraged fits into a bigger strategy that meets the needs of each stakeholder within the organization.
It’s important, not only from a cloud security perspective but also from a business perspective, to identify each stakeholder’s unique roles, needs, challenges, and expectations in order to build a comprehensive cloud security roadmap. This will paint a clear picture of ownership while also identifying which stakeholders’ buy-in is required when implementing any aspect of a cloud security strategy.
Four categories make up the security stakeholder matrix within an organization: executives, technology leaders, security leaders, and engineers. For each stakeholder within each category, there are five important questions to answer:
1. What is their role within the organization?
2. What is their primary focus?
3. What are their cloud security goals?
4. What are their challenges?
5. What do they want in a cloud security solution?
By answering each question with a specific stakeholder in mind, a comprehensive cloud security strategy can be created that goes beyond checking the boxes and ensures that all leaders in an organization feel invested in the strategy and confident in the cloud.
Here are some of the more common answers to these questions at each stakeholder level:
Executives (CEO, founder, principal, president, etc.)
Role: Business ownership and protecting the company’s reputation.
Primary focus: Making sure the team meets its business goals (e.g. entering a new market where privacy is a big deal).
Goals: Financial stability and success; security coverage (check the box, don’t get breached).
Challenges: Ensuring customer and end-user trust, thereby minimizing vulnerability and driving business results.
What they want in a solution: Fills an immediate need, has a short time to value and clear benefits that support the primary focus.
Technology leaders (CTO, Technology Director, VP of Engineering)
Role: Developing and delivering a technology roadmap that helps the business accomplish its goals.
Primary focus: Managing technology resources to meet company goals.
Goals: Control costs, improve performance, protect investments, and meet compliance.
Challenges: Keeping a finger on the pulse of technology, prioritizing projects and resources, meeting aggressive deadlines and objectives, and putting out fires.
What they want in a solution: Visibility into what the security side of the house is doing, reasonable resource costs (set-up, maintenance, labor, etc.), and good value.
Security leaders (CSO, Security Engineer, InfoSec, Incident Response, Compliance)
Role: Developing and delivering a security roadmap that helps the business secure its data and that of its customers/users.
Primary focus: Managing technology resources to meet company goals.
Goals: Control costs, improve performance, protect investments, meet compliance.
Challenges: Keeping a finger on the pulse of technology, prioritizing projects and resources, meeting aggressive deadlines and objectives, putting out fires.
What they want in a solution: Something that is quick to get up and running and that the security team doesn’t mind using.
Engineers (DevOps, SecDevOps, Operations, Developer, Sysadmin, Architect)
Role: Operationalizing security, exploring cloud capabilities.
Primary focus: Delivering speed and efficiency to delight customers.
Goals: Real-life/real-day functionality; need to be efficient; keep systems up to date and working while scaling and growing in complexity; delighting customers; streamlining operations; continuous integration; enabling fast feedback.
Challenges: Engineering resources, manpower hours.
What they want in a solution: Efficiency, scalability, streamlined processes, and something that doesn’t slow down release cycles or hamper productivity.
Understanding the needs of everyone within the cloud security stakeholder matrix will not only lead to a strong security strategy, where the objectives outlined, tactics taken, and technologies employed meet the security needs of the business, but will also bring together leaders at every level, creating champions for its execution across an entire organization.